<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>NSX Corfu Certificate Replacement on Cosmin.us</title><link>https://cosmin.us/series/nsx-corfu-certificate-replacement/</link><description>Recent content in NSX Corfu Certificate Replacement on Cosmin.us</description><generator>Hugo</generator><language>en-US</language><dc:creator>Cosmin Trif</dc:creator><lastBuildDate>Fri, 07 Jul 2023 21:27:17 +0000</lastBuildDate><atom:link href="https://cosmin.us/series/nsx-corfu-certificate-replacement/index.xml" rel="self" type="application/rss+xml"/><item><title>Replacing the idps reporting Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-idps-reporting-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 21:27:15 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-idps-reporting-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the idps reporting Corfu certificate in NSX Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-certificate"&gt;Identifying the Expired Certificate&lt;/h2&gt;
&lt;p&gt;In my case the &lt;a href="https://cosmin.us/replacing-the-cluster-manager-corfu-certificate-in-nsx/"&gt;cluster manager Corfu certificate&lt;/a&gt; has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-58-1024x189.webp" alt="Expired certificate warning, options to import or generate new." width="1024" height="189" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the idps reporting Corfu certificate in NSX Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-certificate"&gt;Identifying the Expired Certificate&lt;/h2&gt;
&lt;p&gt;In my case the &lt;a href="https://cosmin.us/replacing-the-cluster-manager-corfu-certificate-in-nsx/"&gt;cluster manager Corfu certificate&lt;/a&gt; has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-58-1024x189.webp" alt="Expired certificate warning, options to import or generate new." width="1024" height="189" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-59-755x1024.webp" alt="Self-signed certificate setup form for NSX IDPS reporting Corfu client, with fields like Common Name, Organization Name, Key Size, and Number of days." width="755" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-60-1024x215.webp" alt="Table shows certificate details for IDPS reporting Corfu client, self-signed cert." width="1024" height="215" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="applying-the-certificate-via-the-nsx-api"&gt;Applying the Certificate via the NSX API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_IDPS_REPORTING&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="Headers section with Content-Type set to application/json." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;0cc2f4f0-f409-4849-bf01-cfe454349a12&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_IDPS_REPORTING&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-61-1024x266.webp" alt="API request body with cert ID and service type for NSX IDPS reporting." width="1024" height="266" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response showing 200 OK status, 2.44 seconds, 527 bytes, with options to save response." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-62-1024x218.webp" alt="Certificate management interface shows expired and valid certificates, with options to import or generate new ones." width="1024" height="218" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="deleting-the-old-certificate"&gt;Deleting the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-63-1024x355.webp" alt="Expired certificate warning, options to import, generate, delete, export, and copy ID." width="1024" height="355" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;The same process applies to the other Corfu services — for example, see &lt;a href="https://cosmin.us/replacing-the-ar-corfu-certificate-in-nsx/"&gt;replacing the AR Corfu certificate&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Replacing the cluster manager Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-cluster-manager-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 21:11:24 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-cluster-manager-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the cluster manager Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the cluster manager Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-51-1024x187.webp" alt="Expired certificate details for NSX cluster manager Corfu client." width="1024" height="187" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the cluster manager Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the cluster manager Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-51-1024x187.webp" alt="Expired certificate details for NSX cluster manager Corfu client." width="1024" height="187" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-52-754x1024.webp" alt="Fields for creating a self-signed certificate, including Common Name, Algorithm, Key Size, and Number of days." width="754" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-53-1024x178.webp" alt="UI element with a certificate ID and a “Service Certificate” option." width="1024" height="178" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="replacing-the-certificate-via-the-api"&gt;Replacing the Certificate via the API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_CLUSTER_MANAGER&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="Headers tab in a tool, listing Content-Type as application/json." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;0d77eb4c-b305-41a1-b0c4-da7260191d6d&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_CLUSTER_MANAGER&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-55-1024x330.webp" alt="JSON body with fields for cert ID and service type in a request setup." width="1024" height="330" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response showing 200 OK status, 527 bytes, and 2.44 seconds latency." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-57-1024x224.webp" alt="Certificates, one expired, one valid, for cluster manager Corfu." width="1024" height="224" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="removing-the-old-certificate"&gt;Removing the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was &lt;a href="https://cosmin.us/certificate-delete-failed-certificate-cannot-be-deleted-because-it-is-used-by-1-mp-node/"&gt;removing the old certificate&lt;/a&gt; by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-56-1024x416.webp" alt="Certificate management with options to delete, export, or copy ID." width="1024" height="416" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;I have similar walkthroughs for the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu certificate&lt;/a&gt; and the &lt;a href="https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/"&gt;CCP Corfu certificate&lt;/a&gt; in NSX.&lt;/p&gt;</content:encoded></item><item><title>Replacing the Monitoring Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-monitoring-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 20:57:03 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-monitoring-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the Monitoring Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-45-1024x188.webp" alt="Expired Monitoring Corfu certificate with details and error." width="1024" height="188" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the Monitoring Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-45-1024x188.webp" alt="Expired Monitoring Corfu certificate with details and error." width="1024" height="188" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-47-752x1024.webp" alt="UI for generating a self-signed certificate with fields like Common Name, Organization Name, and Key Size visible." width="752" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-48-1024x226.webp" alt="Table with certificate details, including name, type, ID, and service certificate status." width="1024" height="226" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="replacing-the-certificate-via-api"&gt;Replacing the Certificate via API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_MONITORING&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2.0.21761695, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields shown." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="In a Postman request setup, a header labeled “Content-Type” is set to “application/json." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;de5aed8d-cc84-4d0b-b487-8b6be2a022ba&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_MONITORING&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-46-1024x242.webp" alt="JSON body with fields for cert ID and service type in a request setup." width="1024" height="242" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response showing 200 OK status, 2.44 seconds, 527 bytes, and response options." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-49-1024x217.webp" alt="Expired and valid certificates for Monitoring Corfu, highlighting the need for replacement." width="1024" height="217" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="removing-the-old-certificate"&gt;Removing the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-50-1024x350.webp" alt="Certificate management with expired certificate warning, delete option visible." width="1024" height="350" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;The same procedure applies to the other Corfu services as well, for example the &lt;a href="https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/"&gt;CCP Corfu certificate&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Replacing the CSM Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-csm-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 20:16:48 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-csm-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate. I covered the same procedure for the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu certificate&lt;/a&gt; and the &lt;a href="https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/"&gt;CCP Corfu certificate&lt;/a&gt; in separate posts.&lt;/p&gt;
&lt;h2 id="the-expired-csm-corfu-certificate"&gt;The Expired CSM Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the CSM Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-40-1024x185.webp" alt="Expired certificate alert shown for CSM Corfu client certificate." width="1024" height="185" loading="lazy" decoding="async"&gt;
&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate. I covered the same procedure for the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu certificate&lt;/a&gt; and the &lt;a href="https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/"&gt;CCP Corfu certificate&lt;/a&gt; in separate posts.&lt;/p&gt;
&lt;h2 id="the-expired-csm-corfu-certificate"&gt;The Expired CSM Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the CSM Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-40-1024x185.webp" alt="Expired certificate alert shown for CSM Corfu client certificate." width="1024" height="185" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-41-750x1024.webp" alt="Fields for creating a self-signed certificate, including Common Name, Name, Organization Unit, etc." width="750" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-42-1024x177.webp" alt="Table with columns for Name, Type, and Issued To, displaying a self-signed certificate for a node." width="1024" height="177" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="applying-the-certificate-via-the-nsx-api"&gt;Applying the Certificate via the NSX API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_CSM&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2.0.21761695, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="“Headers” tab with “Content-Type: application/json” selected." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;65f3c890-485c-4c54-b80a-51cef8db7124&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_CSM&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-37-1024x293.webp" alt="JSON body with “cert_id” and “service_type” fields for a certificate replacement in NSX." width="1024" height="293" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response with 200 OK status, 527 B, and 2.44 s delay." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-43-1024x223.webp" alt="Certificate management page shows expired and valid certificates, with options to import or generate." width="1024" height="223" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="deleting-the-old-certificate"&gt;Deleting the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu. If the delete fails because the certificate is still in use by a node, see &lt;a href="https://cosmin.us/certificate-delete-failed-certificate-cannot-be-deleted-because-it-is-used-by-1-mp-node/"&gt;this fix&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-44-1024x571.webp" alt="Expired certificate warning, options to delete, export, or copy ID." width="1024" height="571" loading="lazy" decoding="async"&gt;
&lt;/p&gt;</content:encoded></item><item><title>Replacing the GM Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-gm-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 20:10:51 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-gm-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate. The same overall flow applies to the other NSX Corfu services as well — I covered the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu&lt;/a&gt; and &lt;a href="https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/"&gt;CCP Corfu&lt;/a&gt; certificate replacements in separate posts.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-gm-corfu-certificate"&gt;Identifying the Expired GM Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the GM Corfu certificate has already expired&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate. The same overall flow applies to the other NSX Corfu services as well — I covered the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu&lt;/a&gt; and &lt;a href="https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/"&gt;CCP Corfu&lt;/a&gt; certificate replacements in separate posts.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-gm-corfu-certificate"&gt;Identifying the Expired GM Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the GM Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-34-1024x185.webp" alt="Expired GM Corfu certificate details with expiration date." width="1024" height="185" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-35-754x1024.webp" alt="Setting up a self-signed certificate for GM Corfu client in NSX." width="754" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-36-1024x235.webp" alt="Certificate entry labeled “GM-Corfu Client certificate for node 1…” with an ID of 570dace5-8c8a-4f0f-a08f-69dc2054285b." width="1024" height="235" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="applying-the-new-certificate-via-api"&gt;Applying the New Certificate via API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_MP&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2.0.21761695, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields visible." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="Headers tab with Content-Type set to application/json in a request setup." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;570dace5-8c8a-4f0f-a08f-69dc2054285b&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_GM&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-37-1024x293.webp" alt="Form fields for cert ID and service type, ready for input." width="1024" height="293" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response showing 200 OK status, 2.44 seconds, 527 bytes." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-38-1024x236.webp" alt="Certificate management interface shows expired and valid certificates, highlighting the need for replacement." width="1024" height="236" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="deleting-the-old-certificate"&gt;Deleting the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-39-1024x375.webp" alt="Expired certificate, delete option available." width="1024" height="375" loading="lazy" decoding="async"&gt;
&lt;/p&gt;</content:encoded></item><item><title>Replacing the MP Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 19:46:06 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the MP Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-28-1024x186.webp" alt="Expired certificate warning shown for MP Corfu Client certificate." width="1024" height="186" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the MP Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-28-1024x186.webp" alt="Expired certificate warning shown for MP Corfu Client certificate." width="1024" height="186" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-29-758x1024.webp" alt="UI for generating a self-signed certificate with fields like Common Name, Name, Organization Unit, etc., shown." width="758" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-30-1024x241.webp" alt="Certificate details panel with fields like Name, Type, Issued To, ID, and Service Certificate." width="1024" height="241" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="building-the-trust-management-api-call"&gt;Building the Trust-Management API Call&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_MP&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2.0.21761695, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields shown." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="Headers tab shows Content-Type set to application/json in API request." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;e060f100-5e5a-42c8-b735-0cb58f944b43&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_MP&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-31-1024x261.webp" alt="JSON body with fields for cert ID and service type in a request setup." width="1024" height="261" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-certificate-replacement"&gt;Verifying the Certificate Replacement&lt;/h2&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response shows 200 OK status, 2.44 seconds, 527 bytes." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-32-1024x227.webp" alt="Certificates list shows expired and valid certificates for MP Corfu, indicating replacement." width="1024" height="227" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="removing-the-old-certificate"&gt;Removing the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was &lt;a href="https://cosmin.us/certificate-delete-failed-certificate-cannot-be-deleted-because-it-is-used-by-1-mp-node/"&gt;removing the old certificate&lt;/a&gt; by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-33.png" alt="Certificate management with expired warning, search filter, and options like delete, export, and copy ID." width="914" height="686" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;If you also need to renew the &lt;a href="https://cosmin.us/replacing-the-corfu-api-certificate-in-nsx/"&gt;Corfu API certificate&lt;/a&gt;, the process is very similar and I covered it in a separate guide.&lt;/p&gt;</content:encoded></item><item><title>Replacing the CCP Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 18:51:48 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-ccp-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the CCP Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-21-1024x33.webp" alt="CCP-Corfu Client certificate expired on July 18, 2022." width="1024" height="33" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;p&gt;In my case the CCP Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-21-1024x33.webp" alt="CCP-Corfu Client certificate expired on July 18, 2022." width="1024" height="33" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate"&gt;Generating a Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-22-751x1024.webp" alt="Self-signed certificate creation wizard for CCP Corfu client." width="751" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-24-1024x185.webp" alt="CCP-Corfu Client certificate ID: 7502886f-7950-434a-8af3-dab9779c3e71" width="1024" height="185" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="preparing-the-trust-management-api-call"&gt;Preparing the Trust-Management API Call&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_CCP&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details show version, deployment type, transport nodes, UUID, and cert thumbprint." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="Headers section with Content-Type set to application/json for API request." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="sending-the-apply-certificate-request"&gt;Sending the Apply Certificate Request&lt;/h2&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;5a6f1a51-95ec-45f3-8b7a-92ac2abd75cb&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_CCP&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-25-1024x255.webp" alt="Postman request body with JSON fields for cert ID and service type." width="1024" height="255" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response shows 200 OK status with 527 B size in NSX documentation." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-26-1024x141.webp" alt="CCP-Corfu certificates, one expired, one valid." width="1024" height="141" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="deleting-the-old-certificate"&gt;Deleting the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-27.png" alt="Certificate management with expired warning, CCP-Corfu certificate, and delete/export options." width="854" height="608" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;If the delete fails with a &amp;ldquo;Certificate cannot be deleted because it is used by 1 MP node&amp;rdquo; error, I covered the fix in &lt;a href="https://cosmin.us/certificate-delete-failed-certificate-cannot-be-deleted-because-it-is-used-by-1-mp-node/"&gt;this post&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Replacing the AR Corfu certificate in NSX</title><link>https://cosmin.us/replacing-the-ar-corfu-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 17:18:16 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-ar-corfu-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-ar-corfu-certificate"&gt;Identifying the Expired AR Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the AR Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-15-1024x190.webp" alt="Expired certificate alert in NSX UI, showing AR Corfu client certificate details." width="1024" height="190" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate-in-the-nsx-ui"&gt;Generating a Self-Signed Certificate in the NSX UI&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-ar-corfu-certificate"&gt;Identifying the Expired AR Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the AR Corfu certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-15-1024x190.webp" alt="Expired certificate alert in NSX UI, showing AR Corfu client certificate details." width="1024" height="190" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-self-signed-certificate-in-the-nsx-ui"&gt;Generating a Self-Signed Certificate in the NSX UI&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-17-758x1024.webp" alt="Fields for creating a self-signed certificate, including Common Name, Organization Unit, and Algorithm options." width="758" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-18-1024x501.webp" alt="Expired certificate warning shown, new certificate ID needed for NSX." width="1024" height="501" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="applying-the-certificate-via-the-trust-management-api"&gt;Applying the Certificate via the Trust-Management API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=CBM_AR&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details show version, deployment type, transport nodes, UUID, and cert thumbprint." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="In a Postman request, the Headers tab shows Content-Type set to application/json." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;625fb6e6-00ff-4c59-9275-0e7583bcb0c7&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;CBM_AR&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-20-1024x282.webp" alt="Form data for replacing AR Corfu certificate in NSX, including cert ID and service type." width="1024" height="282" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response showing 200 OK status, 527 B, 2.44 s latency." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-and-removing-the-old-certificate"&gt;Verifying and Removing the Old Certificate&lt;/h2&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-12-1024x231.webp" alt="Expired certificate listed under NSX API-Corfu." width="1024" height="231" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-8.png" alt="Expired certificate warning, local filter, and options to delete/export/copy ID." width="800" height="524" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;If other Corfu certificates have expired as well, I covered replacing the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu certificate&lt;/a&gt; and the &lt;a href="https://cosmin.us/replacing-the-cluster-manager-corfu-certificate-in-nsx/"&gt;cluster manager Corfu certificate&lt;/a&gt; in separate posts.&lt;/p&gt;</content:encoded></item><item><title>Replacing the Corfu API certificate in NSX</title><link>https://cosmin.us/replacing-the-corfu-api-certificate-in-nsx/</link><pubDate>Fri, 07 Jul 2023 16:29:11 +0000</pubDate><dc:creator>Cosmin Trif</dc:creator><guid>https://cosmin.us/replacing-the-corfu-api-certificate-in-nsx/</guid><description>&lt;p&gt;In this blog we will go over replacing the Corfu API certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-corfu-certificate"&gt;Identifying the Expired Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the Corfu API certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-9-1024x186.webp" alt="Expired certificate warning shown for API-Corfu client certificate." width="1024" height="186" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;</description><content:encoded>&lt;p&gt;In this blog we will go over replacing the Corfu API certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate.&lt;/p&gt;
&lt;h2 id="identifying-the-expired-corfu-certificate"&gt;Identifying the Expired Corfu Certificate&lt;/h2&gt;
&lt;p&gt;In my case the Corfu API certificate has already expired&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-9-1024x186.webp" alt="Expired certificate warning shown for API-Corfu client certificate." width="1024" height="186" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="generating-a-new-self-signed-certificate"&gt;Generating a New Self-Signed Certificate&lt;/h2&gt;
&lt;p&gt;In the top menu bar I went to Generate -&amp;gt; Generate Self Signed Certificate&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-13-751x1024.webp" alt="Self-signed certificate wizard step showing fields for Common Name, Name, Organization, etc." width="751" height="1024" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Next I had to grab the new certificate ID&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-3-1024x193.webp" alt="LocalManager entry with an ID and a Service Certificate option set to No." width="1024" height="193" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="applying-the-new-certificate-via-the-nsx-api"&gt;Applying the New Certificate via the NSX API&lt;/h2&gt;
&lt;p&gt;The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.&lt;/p&gt;
&lt;p&gt;The URL for the post call would go against &lt;code&gt;https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&amp;amp;service_type=API&amp;amp;node_id=node_id&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The node ID can be found under Appliances -&amp;gt; View details on node, the value to the right for UUID ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-10.png" alt="Appliance details: Version 4.1.0.2.0.21761695, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields." width="976" height="650" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;For authentication I used basic, per best practices we should be using a token.&lt;/p&gt;
&lt;p&gt;For headers had to add Content-Type application\json ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-4-1024x314.webp" alt="Headers tab with Content-Type set to application/json." width="1024" height="314" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;In the body I picked raw and added the following in&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nt"&gt;&amp;#34;cert_id&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;79a25913-643a-4aa0-9d1b-0262e2a706b0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;#34;service_type&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;API&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The cert ID is from the certificate I generated earlier. ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-11-1024x295.webp" alt="Body with JSON input fields for cert ID and service type." width="1024" height="295" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="verifying-the-new-certificate"&gt;Verifying the New Certificate&lt;/h2&gt;
&lt;p&gt;Once I clicked send I was presented back with a 200 OK&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-6-1024x208.webp" alt="API response shows 200 OK, 2.44 seconds, 527 bytes." width="1024" height="208" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;Going in the web browser I can also see that the new certificate is now used and the old one doesn&amp;rsquo;t have anything assigned to it ex&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-12-1024x231.webp" alt="Expired certificate with “Expired Certificate(s)” error." width="1024" height="231" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;h2 id="removing-the-old-certificate"&gt;Removing the Old Certificate&lt;/h2&gt;
&lt;p&gt;The final step I did was &lt;a href="https://cosmin.us/certificate-delete-failed-certificate-cannot-be-deleted-because-it-is-used-by-1-mp-node/"&gt;removing the old certificate&lt;/a&gt; by clicking on the 3 dots to left and picking delete from the menu&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cosmin.us/images/2023/07/image-8.png" alt="Expired certificate warning, local context, delete/export options." width="800" height="524" loading="lazy" decoding="async"&gt;
&lt;/p&gt;
&lt;p&gt;NSX has several other Corfu certificates that expire the same way; for example, I covered replacing the &lt;a href="https://cosmin.us/replacing-the-mp-corfu-certificate-in-nsx/"&gt;MP Corfu certificate&lt;/a&gt; in a separate guide.&lt;/p&gt;</content:encoded></item></channel></rss>